• Namhyung Kim's avatar
    ftrace: Fix function pid filter on instances · d879d0b8
    Namhyung Kim authored
    When function tracer has a pid filter, it adds a probe to sched_switch
    to track if current task can be ignored.  The probe checks the
    ftrace_ignore_pid from current tr to filter tasks.  But it misses to
    delete the probe when removing an instance so that it can cause a crash
    due to the invalid tr pointer (use-after-free).
    
    This is easily reproducible with the following:
    
      # cd /sys/kernel/debug/tracing
      # mkdir instances/buggy
      # echo $$ > instances/buggy/set_ftrace_pid
      # rmdir instances/buggy
    
      ============================================================================
      BUG: KASAN: use-after-free in ftrace_filter_pid_sched_switch_probe+0x3d/0x90
      Read of size 8 by task kworker/0:1/17
      CPU: 0 PID: 17 Comm: kworker/0:1 Tainted: G    B           4.11.0-rc3  #198
      Call Trace:
       dump_stack+0x68/0x9f
       kasan_object_err+0x21/0x70
       kasan_report.part.1+0x22b/0x500
       ? ftrace_filter_pid_sched_switch_probe+0x3d/0x90
       kasan_report+0x25/0x30
       __asan_load8+0x5e/0x70
       ftrace_filter_pid_sched_switch_probe+0x3d/0x90
       ? fpid_start+0x130/0x130
       __schedule+0x571/0xce0
       ...
    
    To fix it, use ftrace_clear_pids() to unregister the probe.  As
    instance_rmdir() already updated ftrace codes, it can just free the
    filter safely.
    
    Link: http://lkml.kernel.org/r/20170417024430.21194-2-namhyung@kernel.org
    
    Fixes: 0c8916c3 ("tracing: Add rmdir to remove multibuffer instances")
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: stable@vger.kernel.org
    Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
    Signed-off-by: default avatarNamhyung Kim <namhyung@kernel.org>
    Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
    d879d0b8
ftrace.c 145 KB